The market adoption of wireless LAN (WLAN) technology has exploded, as users from a wide range of backgrounds and vertical industries brought this technology into their homes, offices, and increasingly into the public air space. This inflection point highlighted not only the limitations of earlier-generation systems, but also the changing role WLAN technology now plays in people's work and lifestyles across the globe. Indeed, WLANs are rapidly changing from convenience networks to business-critical networks. Increasingly, users are depending on WLANs to improve the timeliness and productivity of their communications and applications, and in doing so, require greater visibility, security, management, and performance from their network.
As enterprises and other entities increasingly rely on wireless networks, security of wireless network environments becomes a critical component to ensure the integrity of the enterprise's network environment against unauthorized access. Indeed, wireless networks pose security risks not encountered in wired computer networks, since any wireless client in the coverage area of an access point can potentially gain access to the network, or simply monitor the airwaves for wireless packets, without a physical connection. In an 802.11 wireless network, prior art security mechanisms are implemented in a variety of manners. For example, the 802.11 protocol provides for shared-key authentication, according to which a wireless client must possess a shared secret key in order to establish a wireless connection with an access point. In addition, as with wired networks, the wireless network infrastructure can operate in connection with application level security mechanisms, such as a RADIUS, VPN, or other authentication server, to control access to network resources.
Wireless local area networks (WLANs) use high-frequency radio waves rather than wires to communicate between nodes. The distance over which radio frequency (RF) waves emanating from wireless corporate local networks can travel is primarily a function of the wireless network system capabilities and configuration (mostly, transmit power and receiver design), and the properties of the wireless signal propagation path. In an indoor environment, RF signal interactions with typical building objects—including walls, metal shelves, cubes, and even people—can affect the distance over which RF energy propagates, and thus what range and coverage a particular wireless network system achieves. Wireless LAN systems use RF signals because radio waves have a desirable ability to penetrate most indoor walls and obstacles. The range for typical WLAN systems varies from under 100 meters indoors to more than 300 meters outdoors. However, the ability to penetrate walls and other obstacles is problematic for security-sensitive networks, since the RF signals carrying wireless frames or packets are detectable outside the physical boundaries of an enterprise's physical infrastructure. Indeed, the RF signals associated with a given WLAN system may extend into the street, parking lots, adjacent floors of an office building, and even into other locally situated buildings.
Enterprises are becoming more aware of the security risks posed by WLAN systems. Ironically, now at the point where most Ethernet wall sockets are fairly secure points of entry to a corporate network, enterprises are breaking that security by making portions of the network accessible to anyone within listening range of the broadcasting radios. Indeed, there are a variety of publicly available tools that allow eavesdroppers to listen to the wireless network traffic of WLANs. For example, an eavesdropper armed with a laptop computer, a wireless network adapter and, optionally, a directional antenna, can often simply position himself outside an enterprise's building and detect wireless data packets by monitoring RF energy leaking from the building. Available software tools allow eavesdroppers to gain access to a variety of information from the captured data packets. For example, software tools allow the eavesdropper to obtain SSIDs in beacon frames, MAC addresses, channel assignments, and WEP encryption status. Data frames may also be recovered.
To address these concerns, enterprises currently rely on data encryption and other techniques to protect the data. Conceptually, at a higher level than the RF signal, the data (information content) carried on the RF signal is usually the point at which actual intellectual property is obtainable and security is now paramount. This level is usually the point at which data protection begins via data encryption. Data encryption does not absolutely protect the data, nor does it solve the security problem of unintended listening; it only hinders it. Readily available encryption methods, such as private key encryption, public key encryption, wireless encryption protocol (WEP), and Virtual Private Networks (VPNs), are always at risk of having authentication information or other data allowing access stolen, shared, or unintentionally released. In any event, if the encrypted data frames and packets are available to eavesdroppers, the question of access to that data is simply an issue of knowledge of the encryption technique, the encryption keys, and/or time to break the encryption scheme. For example, existing software tools compute WEP encryption keys and/or decrypt data packets after a sufficient number of packets have been captured. Even with newly developed encryption protocols, it may only be a matter of time, computing power, or illicit access to encryption keys before these encryption protocols are broken.
Accordingly, it would be desirable to confine WLAN RF signals potentially carrying sensitive or otherwise confidential data within a desired boundary, such as the perimeter of a physical space or building. However, shaping or focusing the signals from the radios employed in the WLAN could be extremely expensive and may actually adversely affect WLAN performance by narrowing the radio coverage area within the desired perimeter. In addition, while the use of materials within the outer walls of a physical space, for example, to confine WLAN RF signals may be possible, it is also quite expensive and may not be entirely effective.
In light of the foregoing, a need in the art exists for securing the perimeter of WLAN deployments in a manner that prevents meaningful access to, or capture of, wireless packets or frames by unauthorized systems outside of the security perimeter. Embodiments of the present invention substantially fulfill this need.